|
The MATR's Privacy Policy
PREAMBLE The Mid-Atlantic Twin Registry ("MATR"), based at Virginia Commonwealth University's Medical College of Virginia, is a registry (database) of information about twins and their families who are willing to consider taking part in research projects on various health and behavioral problems. The MATR gives priority to protecting the privacy interests of individuals in the handling of personally identifiable information collected by the MATR in our efforts to locate twins who may be eligible to participate in the MATR and in support of research efforts. Therefore, MATR has developed and adopted comprehensive Privacy Principles ("Principles") for the processing of personally identifiable information. SCOPE These Principles apply to all personally identifiable information about individuals that we collect, maintain, use, or disclose. "Personally-identifiable information" is information in any form or medium: 1) That identifies the individual, or 2) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual. Personally-identifiable information does not include information from which the identifiers (such as name, address, and social security number) have been removed, encrypted, or replaced with a code, such that the identity of the individual is not evident or, in the case of encrypted or encoded information, is not evident without use of a key that is maintained separately from the information. COLLECTION AND USE The MATR collects and uses personally identifiable information only in a lawful manner and only for relevant and appropriate administrative and research-related functions. We know that personally identifiable information can be sensitive. Therefore, we take care to ensure that we only collect information and ask questions that may be useful in the identification and registration of participants and their families or useful for current or future research projects. Of course, we also ask MATR participants to keep us informed of their current address so that we can remain in touch. The MATR uses personally identifiable information for research purposes, including identifying potential candidates for research projects and in administering the registry (contacting participants, for example). We also may use personally identifiable data to create encoded or anonymized data for use in aggregate or statistical reports or for use in research projects where the research does not require access to personal identifiers. We believe that the individual is often the best source of information about himself or herself. Therefore, to the extent practical and appropriate, we collect personally identifiable information directly from the individual. In those cases in which it is necessary to collect personally identifiable information from others, we use only sources that we believe to be reputable and take measures to ensure that the privacy interests of individuals are respected. Examples of personally-identifiable information we may obtain from third parties include birth, marriage, and death data obtained from state agencies and contact information obtained from sources including relatives, schools, state departments of motor vehicles and private-sector companies. RETENTION Personally identifiable information is kept in an identifiable format only as long as needed to meet the purposes for which it was collected. The MATR does not retain personally identifiable information that is no longer required for research purposes or the ongoing administration of our relationship with the participant. Upon request we will anonymize or delete the personally identifiable information we maintain about the participant. Occasionally, registrants withdraw from the MATR and request that information about them be anonymized or deleted. We honor such requests, but we do retain basic contact information such as name and address, on a "do not contact" list to ensure that we do not re-contact the individual. NOTICE We provide notice to individuals of the types of personally identifiable information we collect, the purposes for which we collect such information, the parties to whom we disclose personally identifiable information, and our privacy and information safeguards, including rights of access and correction. Personally identifiable information is essential to the operation and continued success of the MATR. We believe that individuals who are educated about our information needs and practices are better able to decide whether to participate in the MATR and more likely to support our efforts. Therefore, we take steps to provide the participants and prospective participants whom we identify with notice of our information practices, and we make these practices available to others who request them. CONSENT We obtain consent before collecting, using, or disclosing personally identifiable information about participants and prospective participants, except as necessary to identify and recruit prospective participants. We also obtain the permission of individuals before we will permit outside researchers to contact them. When collecting family medical history information about participants, we will obtain the consent of identifiable relatives to the extent required by the Institutional Review Board that oversees our operations. We obtain a participant's consent before collecting, disclosing, or using a participant's personally identifiable information. We do not, however, seek the consent of prospective participants before we identify them as candidates. If we contact a prospective participant and he or she declines to participate in the MATR, we add the name and address of the individual to our "do not contact list" so that we will not contact that person again, but we do not otherwise retain personally identifiable information about the individual. It is often critical to the success of our research to obtain information about a participant's family medical history, which may mean that we will collect personally identifiable information about relatives of the participant. When seeking information about identifiable relatives of participants, we will seek the consent of the relative whenever required to do so by the federally mandated Institutional Review Board that oversees our operations. INTERNAL ACCESS The MATR restricts access to personally identifiable information to those employees who need such access to carry out their assigned functions. Employees must have a legitimate need to know any personally identifiable information they access, and they are prohibited from "browsing" through personally identifiable information we maintain. EXTERNAL DISCLOSURES Disclosure of personally identifiable information beyond the MATR's agents and contractors is made only with the permission of the participant or as required by law or legal process. The MATR requires agents and contractors to whom the MATR discloses personally identifiable information to comply with these Principles and specifically to refrain from any further disclosures not authorized by the MATR. We know that the disclosure of personally identifiable information to third parties may pose privacy risks. In order to minimize these risks, we do not voluntarily disclose personally identifiable information about participants to third parties, including researchers, without the permission of the participant. We do, however, disclose personally identifiable information to the agents and contractors that assist us in carrying out certain administrative functions, such as the processing of MATR questionnaires. In addition, we prohibit published reports of research conducted using MATR participants and MATR data from including personally identifiable information about participants or their families. ACCURACY The MATR employs all reasonable means to keep personally identifiable information about participants and their families accurate and up-to-date for the purposes for which it is collected and used. We encourage all participants to assist us in keeping the personally identifiable information we maintain about them and their families accurate and current. Much of the information contained in the MATR is information that is provided by the participant, rather than information that is obtained from verifiable medical sources. Researchers using MATR data are aware that some of the information made available to them is the result of self-reporting and evaluate that information accordingly. ACCESS AND CORRECTION The MATR provides participants and prospective participants about whom it maintains personally identifiable information with the opportunity to examine their information, challenge its accuracy and completeness, and to have it amended as appropriate. Upon request, participants and prospective participants shall be given access to the personally identifiable information the MATR holds about them. If the participant or prospective participant is a minor, his or her parent or guardian may also access the records. The only exceptions to this policy are cases for which granting access would violate the privacy of another individual or instances where we are legally prohibited from releasing information directly to the individual. For example, some of the state agencies that provide us with information for research purposes sometimes prohibit us from disclosing that information. If that were to be the case, we would direct the individual to the agency that provided the information. We only extend access rights to individuals on whom we maintain indexed records. This typically includes participants and prospective participants, and the parents of minors who are participants or prospective participants. We do not index and do not provide access to personally identifiable information about others, such as relatives, that may be included in an individual's file. If notified that personally identifiable information we maintain is incorrect, we will either correct the information or direct the individual to the source of the information for correction. SECURITY The MATR uses rigorous administrative, technical, personnel, and physical measures reasonably calculated to safeguard personally identifiable information concerning registry participants and their families against loss, theft, and unauthorized uses or modifications. The MATR believes that data security is an integral part of privacy protection. Therefore we take steps to maintain the security of personally identifiable information in our possession. The MATR data system, for example, is located in a secured office suite that is accessible by only a limited number of personnel. MATR databases containing personally identifiable information about participants are not accessible via the Internet, and personally identifiable information is maintained in a database separate from any other information that the participant provides to the MATR. In addition, the MATR periodically undergoes a professional security audit. COMPLIANCE The MATR has appointed a senior official to serve as Chief Privacy Officer ("CPO"). The CPO is responsible for the implementing and overseeing the administration of these Principles. The MATR actively works to ensure compliance with these Principles, as well as with applicable law or contractual agreements on handling of personally identifiable information. Compliance measures include:
Holding employees, agents, contractors, and researchers accountable for violations of these Principles, with sanctions, including the possibility of legal action and termination of contracts and employment. Responsibilities of CPO include:
|
